After disclosing couple of Zero-day vulnerabilities in a month on Microsoft Windows OS, which effects Windows 7, 8 and Windows 8.1, now Google Project team have reveals total three vulnerabilities on Apple OS X.
In last two days, Google security Zero-team have discloses three vulnerabilities on OS X but none of them is such critical as was of Microsoft Windows. The first flaw, "OS X networkd "effective_audit_token" XPC type confusion sandbox escape," which involves circumvention of commands in the network system, may be mitigated in OS X Yosemite.
The Second flaw which is titled "OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator," reveals that attacker will able to execute code on OS X IOKit kernel and to exploit the vulnerability researcher have provided a program which gives root access on the exploited system.
The third flaw again resides on the OS X IOKit kernel. There was a memory corruption on the OS X IOKit kernel because of bad bzero in IOBluetooth Device. To exploit the vulnerability system must have connected bluetooth device.
All the three vulnerabilities is not much critical, since all three appear to require the attacker to already have some access to a targeted machine.
Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.
In last two days, Google security Zero-team have discloses three vulnerabilities on OS X but none of them is such critical as was of Microsoft Windows. The first flaw, "OS X networkd "effective_audit_token" XPC type confusion sandbox escape," which involves circumvention of commands in the network system, may be mitigated in OS X Yosemite.
The third flaw again resides on the OS X IOKit kernel. There was a memory corruption on the OS X IOKit kernel because of bad bzero in IOBluetooth Device. To exploit the vulnerability system must have connected bluetooth device.
All the three vulnerabilities is not much critical, since all three appear to require the attacker to already have some access to a targeted machine.
Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.